Menu
Grafana Cloud
Configure RBAC
Role-based access control (RBAC) for Grafana Enterprise and Grafana Cloud provides a standardized way of granting, changing, and revoking access, so that users can view and modify Grafana resources.
A user is any individual who can log in to Grafana. Each user is associated with a role that includes permissions. Permissions determine the tasks a user can perform in the system.
Each permission contains one or more actions and a scope.
Permissions
Grafana Alerting has the following permissions.
| Action | Applicable scope | Description |
|---|---|---|
alert.instances.external:read | datasources:*datasources:uid:* | Read alerts and silences in data sources that support alerting. |
alert.instances.external:write | datasources:*datasources:uid:* | Manage alerts and silences in data sources that support alerting. |
alert.instances:create | n/a | Create silences in the current organization. |
alert.instances:read | n/a | Read alerts and silences in the current organization. |
alert.instances:write | n/a | Update and expire silences in the current organization. |
alert.notifications.external:read | datasources:*datasources:uid:* | Read templates, contact points, notification policies, and mute timings in data sources that support alerting. |
alert.notifications.external:write | datasources:*datasources:uid:* | Manage templates, contact points, notification policies, and mute timings in data sources that support alerting. |
alert.notifications:write | n/a | Manage templates, contact points, notification policies, and mute timings in the current organization. |
alert.notifications:read | n/a | Read all templates, contact points, notification policies, and mute timings in the current organization. |
alert.rules.external:read | datasources:*datasources:uid:* | Read alert rules in data sources that support alerting (Prometheus, Mimir, and Loki) |
alert.rules.external:write | datasources:*datasources:uid:* | Create, update, and delete alert rules in data sources that support alerting (Mimir and Loki). |
alert.rules:create | folders:*folders:uid:* | Create Grafana alert rules in a folder and its subfolders. Combine this permission with folders:read in a scope that includes the folder and datasources:query in the scope of data sources the user can query. |
alert.rules:delete | folders:*folders:uid:* | Delete Grafana alert rules in a folder and its subfolders. Combine this permission with folders:read in a scope that includes the folder and datasources:query in the scope of data sources the user can query. |
alert.rules:read | folders:*folders:uid:* | Read Grafana alert rules in a folder and its subfolders. Combine this permission with folders:read in a scope that includes the folder and datasources:query in the scope of data sources the user can query. |
alert.rules:write | folders:*folders:uid:* | Update Grafana alert rules in a folder and its subfolders. Combine this permission with folders:read in a scope that includes the folder and datasources:query in the scope of data sources the user can query. |
alert.silences:create | folders:*folders:uid:* | Create rule-specific silences in a folder and its subfolders. |
alert.silences:read | folders:*folders:uid:* | Read general and rule-specific silences in a folder and its subfolders. |
alert.silences:write | folders:*folders:uid:* | Update and expire rule-specific silences in a folder and its subfolders. |
alert.provisioning:read | n/a | Read all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and datasource are not required. |
alert.provisioning.secrets:read | n/a | Same as alert.provisioning:read plus ability to export resources with decrypted secrets. |
alert.provisioning:write | n/a | Update all Grafana alert rules, notification policies, etc via provisioning API. Permissions to folders and datasource are not required. |
alert.provisioning.provenance:write | n/a | Set provisioning status for alerting resources. Cannot be used alone. Requires user to have permissions to access resources |
To help plan your RBAC rollout strategy, refer to Plan your RBAC rollout strategy.
Was this page helpful?
Related resources from Grafana Labs
Getting started with the Grafana LGTM Stack
In this webinar, we’ll demo how to get started using the LGTM Stack: Loki for logs, Grafana for visualization, Tempo for traces, and Mimir for metrics.
Intro to Kubernetes monitoring in Grafana Cloud
In this webinar you’ll learn how Grafana offers developers and SREs a simple and quick-to-value solution for monitoring their Kubernetes infrastructure.
Building advanced Grafana dashboards
In this webinar, we’ll demo how to build and format Grafana dashboards.